On Wednesday, February 23, 2022 12:05:43 PM EST John Levine wrote:
> It appears that Scott Kitterman <[email protected]> said:
> >> It looked like the tree walk to find the policy domain was different from
> >> the one to find the org domain. If they're the same, that makes things
> >> simpler and we now have to nail down exactly what that tree walk is:
> >> first record, last record before a PSD? ...
> >
> > lookups in order to find out when to stop. I like walk up for policy and
> > walk down for org domain determination, but it's not essential.
>
> Hold it, this is a very incompatible change from 7489.
>
> As it stands now, the policy domain is either the domain itself or the org
> domain.
>
> You appear to be proposing that the policy domain might be the domain
> itself, or the org domain, or some other domain in between if it has a
> DMARC record. If that's not the proposal, can you clarify?
>
> I also realize that walking down doesn't save any work since there may be
> more than one PSD. For example [email protected]
>
> uk    psd
> ac    psd
> camb  DMARC and org
> cst   DMARC
>
> If you walk down, and you stop at "uk" you'll get the wrong answer.
> You have to keep going because you don't know whether there might be
> another PSD. If you walk up you can always stop at the first PSD and
> get the right answer.
>
> If we agree to jump up to the 5th label for longer names, neither
> direction will do more than five lookups, but walking up is a lot
> easier to explain.
>
> If there is more than one DMARC record between the original name and
> the top or a PSD, there is still the question of when to use the first
> (lowest) and when to use the last. My proposal is that we always use
> the first, for policy, for relaxed alignment, for what we call an org
> domain, for everything else. It's easy to explain, and it makes the
> foo.us.com hack less likely.
More than one PSD is a good point. Never mind about walking down.

Leaving that aside, then I think it's:

1. Look up the DMARC record for the 5322.From domain. If found, that's the policy.
2. Walk up through up to 5 levels in the DNS hierarchy, and the last (shortest) non-PSD DMARC record you find is the org.

I think that matches the RFC 7489 discovery approach, just not using the PSL. Is that right?

Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
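The walk-up tree walk the two messages above converge on, as an added example that is not part of the thread or of any DMARC implementation. It runs against a constructed in-memory DNS table mirroring John's uk / ac / camb / cst tree (hypothetical names, not real DNS). Things the thread leaves open are fixed here as labelled assumptions: a DMARC record is the TXT at `_dmarc.<name>`; a PSD is recognised by a `psd=y` tag in its record; a name longer than five labels jumps straight to its five-label suffix; the walk stops at the first PSD it reaches, and if nothing sits below that PSD its record is what `policy_domain` returns. `org_domain` implements both readings under discussion (Scott's "last/shortest non-PSD record" and John's "first/lowest"), and `naive_walk_down_psd` shows John's counter-example of a top-down walk stopping at the wrong PSD.

```python
"""Added example: walk-up DMARC tree walk over a constructed DNS table.

Assumptions not stated in the thread: DMARC record = TXT at _dmarc.<name>;
a PSD is marked by psd=y; names longer than five labels jump to their
five-label suffix; the walk stops at the first PSD going up.
"""

MAX_WALK_LABELS = 5

# Constructed zone data (hypothetical names) matching John's example tree:
#   uk    psd
#   ac    psd
#   camb  DMARC and org
#   cst   DMARC
DNS = {
    "_dmarc.uk":             "v=DMARC1; p=reject; psd=y",
    "_dmarc.ac.uk":          "v=DMARC1; p=none; psd=y",
    "_dmarc.camb.ac.uk":     "v=DMARC1; p=quarantine",
    "_dmarc.cst.camb.ac.uk": "v=DMARC1; p=none",
}


def parse_tags(record):
    """Split 'k=v; k=v' into a dict, tolerant of stray whitespace."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def is_psd(record):
    # Assumption: a PSD announces itself with psd=y in its own record.
    return parse_tags(record).get("psd", "").lower() == "y"


def lookup(name, dns, counter):
    """Simulate one DNS query for _dmarc.<name>; counter[0] counts cost."""
    counter[0] += 1
    rec = dns.get("_dmarc." + name)
    # Only a v=DMARC1 TXT record counts; anything else is "no record".
    if rec and parse_tags(rec).get("v") == "DMARC1":
        return rec
    return None


def tree_walk(domain, dns=DNS):
    """Walk up from `domain`; return (records lowest-first, lookups spent).

    Each record is (name, txt, is_psd).  The walk stops after the first
    PSD record it meets, which is John's 'always stop at the first PSD'."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels)]
    start = min(len(labels), MAX_WALK_LABELS)
    if len(labels) > MAX_WALK_LABELS:
        # Jump to the 5th label for longer names, then walk up from there.
        names.append(".".join(labels[-start:]))
    for n in range(start - 1, 0, -1):
        names.append(".".join(labels[-n:]))
    found, counter = [], [0]
    for name in names:
        rec = lookup(name, dns, counter)
        if rec is None:
            continue
        psd = is_psd(rec)
        found.append((name, rec, psd))
        if psd:
            break
    return found, counter[0]


def policy_domain(domain, dns=DNS):
    """The first (lowest) record found: Scott's step 1 for the From domain,
    and John's 'always use the first' when the From domain has none."""
    found, _ = tree_walk(domain, dns)
    return found[0][0] if found else None


def org_domain(domain, dns=DNS, rule="shortest"):
    """Org domain from the same walk.  rule='shortest' is Scott's step 2
    (last non-PSD record before the PSD); rule='lowest' is John's proposal
    (first non-PSD record found)."""
    found, _ = tree_walk(domain, dns)
    non_psd = [name for name, _, psd in found if not psd]
    if not non_psd:
        return None
    return non_psd[-1] if rule == "shortest" else non_psd[0]


def naive_walk_down_psd(domain, dns=DNS):
    """John's counter-example: walk down from the TLD and stop at the first
    PSD.  For cst.camb.ac.uk this answers 'uk' and never sees 'ac.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    counter = [0]
    for n in range(1, len(labels) + 1):
        name = ".".join(labels[-n:])
        rec = lookup(name, dns, counter)
        if rec and is_psd(rec):
            return name
    return None


if __name__ == "__main__":
    for d in ("cst.camb.ac.uk", "mail.lab.cst.camb.ac.uk", "nothere.ac.uk"):
        found, cost = tree_walk(d)
        print(d, "->", [n for n, _, _ in found], f"({cost} lookups)")
        print("  policy:", policy_domain(d), " org(shortest):", org_domain(d),
              " org(lowest):", org_domain(d, rule="lowest"))
    print("naive walk-down PSD for cst.camb.ac.uk:",
          naive_walk_down_psd("cst.camb.ac.uk"))
```

For `cst.camb.ac.uk` the walk spends three lookups (cst, camb, ac.uk) and stops at the `ac.uk` PSD; the policy domain is `cst.camb.ac.uk`, the org domain is `camb.ac.uk` under Scott's shortest-record rule and `cst.camb.ac.uk` under John's lowest-record rule. The six-label `mail.lab.cst.camb.ac.uk` jumps to its five-label suffix and still finishes within five lookups, while the naive top-down walk returns `uk` and misses the second PSD.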
